>From 5a97389c5c8ca1b3869b02677d6c352feef93738 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Fri, 27 Dec 2013 00:28:43 -0500
Subject: [PATCH 08/31] Renamed deny_password_attempts to
accounts_passwords_pam_faillock_deny, moved to shared/
- Renamed XCCDF to match granular configuration setting
- Moved OVAL to shared/, updated CPE info, and symlinked it into the RHEL
directories after testing
---
RHEL/6/input/auxiliary/stig_overlay.xml | 2 +-
RHEL/6/input/auxiliary/transition_notes.xml | 2 +-
.../accounts_passwords_pam_faillock_deny.xml | 49 +---------------------
RHEL/6/input/profiles/CS2.xml | 2 +-
RHEL/6/input/profiles/common.xml | 2 +-
.../6/input/profiles/fisma-medium-rhel6-server.xml | 2 +-
RHEL/6/input/profiles/nist-CL-IL-AL.xml | 2 +-
RHEL/6/input/profiles/rht-ccp.xml | 3 +-
RHEL/6/input/profiles/usgcb-rhel6-server.xml | 2 +-
RHEL/6/input/system/accounts/pam.xml | 2 +-
RHEL/7/input/auxiliary/transition_notes.xml | 2 +-
.../accounts_passwords_pam_faillock_deny.xml | 1 +
RHEL/7/input/profiles/rht-ccp.xml | 3 +-
RHEL/7/input/system/accounts/pam.xml | 2 +-
.../oval/accounts_passwords_pam_faillock_deny.xml | 49 ++++++++++++++++++++++
15 files changed, 65 insertions(+), 60 deletions(-)
mode change 100644 => 120000
RHEL/6/input/checks/accounts_passwords_pam_faillock_deny.xml
create mode 120000 RHEL/7/input/checks/accounts_passwords_pam_faillock_deny.xml
create mode 100644 shared/oval/accounts_passwords_pam_faillock_deny.xml
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml
b/RHEL/6/input/auxiliary/stig_overlay.xml
index 0e77ee6..652ce49 100644
--- a/RHEL/6/input/auxiliary/stig_overlay.xml
+++ b/RHEL/6/input/auxiliary/stig_overlay.xml
@@ -188,7 +188,7 @@
<VMSinfo VKey="38572" SVKey="50373" VRelease="1" />
<title>The system must require at least four characters be
changed between the old and new passwords during a password change.</title>
</overlay>
- <overlay owner="disastig" ruleid="deny_password_attempts"
ownerid="RHEL-06-000061" disa="44" severity="medium">
+ <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny"
ownerid="RHEL-06-000061" disa="44" severity="medium">
<VMSinfo VKey="38573" SVKey="50374" VRelease="1" />
<title>The system must disable accounts after three consecutive
unsuccessful login attempts.</title>
</overlay>
diff --git a/RHEL/6/input/auxiliary/transition_notes.xml
b/RHEL/6/input/auxiliary/transition_notes.xml
index d190b2c..e2f7db6 100644
--- a/RHEL/6/input/auxiliary/transition_notes.xml
+++ b/RHEL/6/input/auxiliary/transition_notes.xml
@@ -9,7 +9,7 @@
<note ref="768" auth="GG" rule="">This is not covered in RHEL 6 content</note>
-<note ref="766" auth="GG" rule="deny_password_attempts">This is covered in
RHEL 6 content</note>
+<note ref="766" auth="GG" rule="accounts_passwords_pam_faillock_deny">This is
covered in RHEL 6 content</note>
<note ref="762" auth="GG" rule="">This is not covered in RHEL 6 content</note>
diff --git a/RHEL/6/input/checks/accounts_passwords_pam_faillock_deny.xml
b/RHEL/6/input/checks/accounts_passwords_pam_faillock_deny.xml
deleted file mode 100644
index c682c33..0000000
--- a/RHEL/6/input/checks/accounts_passwords_pam_faillock_deny.xml
+++ /dev/null
@@ -1,48 +0,0 @@
-<def-group>
- <definition class="compliance" id="accounts_passwords_pam_faillock_deny"
version="1">
- <metadata>
- <title>Lock out account after failed login attempts</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The number of allowed failed logins should be set
correctly.</description>
- <reference source="swells" ref_id="20131025" ref_url="test_attestation"
/>
- </metadata>
- <criteria>
- <criterion comment="pam_faillock.so deny value set in system-auth"
test_ref="test_accounts_passwords_pam_faillock_deny_system-auth" />
- <criterion comment="pam_faillock.so deny value set in password-auth"
test_ref="test_accounts_passwords_pam_faillock_deny_password-auth" />
- </criteria>
- </definition>
-
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="check maximum failed login attempts allowed in /etc/pam.d/system-auth"
id="test_accounts_passwords_pam_faillock_deny_system-auth" version="1">
- <ind:object
object_ref="object_accounts_passwords_pam_faillock_deny_system-auth" />
- <ind:state
state_ref="state_accounts_passwords_pam_faillock_deny_system-auth" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="check maximum failed login attempts allowed in
/etc/pam.d/password-auth"
id="test_accounts_passwords_pam_faillock_deny_password-auth" version="1">
- <ind:object
object_ref="object_accounts_passwords_pam_faillock_deny_password-auth" />
- <ind:state
state_ref="state_accounts_passwords_pam_faillock_deny_password-auth" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object
id="object_accounts_passwords_pam_faillock_deny_system-auth" version="1">
- <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
- <ind:pattern operation="pattern
match">^\s*auth\s+(?:(?:required))\s+pam_faillock\.so.*deny=([0-9]*).*$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or
equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_object
id="object_accounts_passwords_pam_faillock_deny_password-auth" version="1">
- <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
- <ind:pattern operation="pattern
match">^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so.*deny=([0-9]*).*$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or
equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state
id="state_accounts_passwords_pam_faillock_deny_system-auth" version="1">
- <ind:subexpression datatype="int" operation="equals"
var_ref="var_accounts_passwords_pam_faillock_deny" />
- </ind:textfilecontent54_state>
-
- <ind:textfilecontent54_state
id="state_accounts_passwords_pam_faillock_deny_password-auth" version="1">
- <ind:subexpression datatype="int" operation="equals"
var_ref="var_accounts_passwords_pam_faillock_deny" />
- </ind:textfilecontent54_state>
-
- <external_variable comment="number of failed login attempts allowed"
datatype="int" id="var_accounts_passwords_pam_faillock_deny" version="1" />
-</def-group>
diff --git a/RHEL/6/input/checks/accounts_passwords_pam_faillock_deny.xml
b/RHEL/6/input/checks/accounts_passwords_pam_faillock_deny.xml
new file mode 120000
index 0000000..7555d49
--- /dev/null
+++ b/RHEL/6/input/checks/accounts_passwords_pam_faillock_deny.xml
@@ -0,0 +1 @@
+../../../../shared/oval/accounts_passwords_pam_faillock_deny.xml
\ No newline at end of file
diff --git a/RHEL/6/input/profiles/CS2.xml b/RHEL/6/input/profiles/CS2.xml
index 8bb284c..9d33f72 100644
--- a/RHEL/6/input/profiles/CS2.xml
+++ b/RHEL/6/input/profiles/CS2.xml
@@ -17,7 +17,7 @@
<refine-value idref="var_password_history_retain_limit" selector="10"/>
<select idref="accounts_password_warn_age_login_defs" selected="true"/>
<select idref="account_disable_post_pw_expiration" selected="true" />
-<select idref="deny_password_attempts" selected="true" />
+<select idref="accounts_passwords_pam_faillock_deny" selected="true" />
<select idref="accounts_password_pam_cracklib_retry" selected="true"/>
<select idref="accounts_max_concurrent_login_sessions" selected="true"/>
<refine-value idref="var_accounts_max_concurrent_login_sessions" selector="3"/>
diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml
index 3944bd4..01cb978 100644
--- a/RHEL/6/input/profiles/common.xml
+++ b/RHEL/6/input/profiles/common.xml
@@ -57,7 +57,7 @@
<select idref="accounts_password_pam_cracklib_ocredit" selected="true"/>
<select idref="accounts_password_pam_cracklib_lcredit" selected="true"/>
<select idref="accounts_password_pam_cracklib_difok" selected="true"/>
-<select idref="deny_password_attempts" selected="true"/>
+<select idref="accounts_passwords_pam_faillock_deny" selected="true"/>
<select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
<select idref="set_password_hashing_algorithm_logindefs" selected="true"/>
<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/>
diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
index 16d7d29..55254b0 100644
--- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
@@ -78,7 +78,7 @@
FISMA Refine: 3 attempts in 15 min -->
<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="3"/>
<refine-value idref="var_accounts_passwords_pam_faillock_fail_interval"
selector="900" />
-<select idref="deny_password_attempts" selected="true" />
+<select idref="accounts_passwords_pam_faillock_deny" selected="true" />
<select idref="accounts_passwords_pam_fail_interval" selected="true" />
<!-- AC-7(b)
diff --git a/RHEL/6/input/profiles/nist-CL-IL-AL.xml
b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
index 5e9be13..29103c0 100644
--- a/RHEL/6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
@@ -166,7 +166,7 @@ assurance."</description>
<select idref="sshd_disable_root_login" selected="true" \>
<!-- AC-7(a) -->
-<select idref="deny_password_attempts" selected="true" \>
+<select idref="accounts_passwords_pam_faillock_deny" selected="true" \>
<select idref="accounts_passwords_pam_fail_interval" selected="true" \>
<!-- AC-7(b) -->
diff --git a/RHEL/6/input/profiles/rht-ccp.xml
b/RHEL/6/input/profiles/rht-ccp.xml
index 9040055..b6df557 100644
--- a/RHEL/6/input/profiles/rht-ccp.xml
+++ b/RHEL/6/input/profiles/rht-ccp.xml
@@ -10,6 +10,7 @@
<refine-value idref="var_accounts_password_minlen_login_defs" selector="6"/>
<refine-value idref="var_password_max_age" selector="90"/>
<refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/>
+<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="5" />
<refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/>
<refine-value idref="var_password_pam_cracklib_retry" selector="3"/>
<refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/>
@@ -59,7 +60,7 @@
<select idref="accounts_password_pam_cracklib_ocredit" selected="true"/>
<select idref="accounts_password_pam_cracklib_lcredit" selected="true"/>
<select idref="accounts_password_pam_cracklib_difok" selected="true"/>
-<select idref="deny_password_attempts" selected="true"/>
+<select idref="accounts_passwords_pam_faillock_deny" selected="true"/>
<select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
<select idref="set_password_hashing_algorithm_logindefs" selected="true"/>
<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/>
diff --git a/RHEL/6/input/profiles/usgcb-rhel6-server.xml
b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
index 4693fae..c8a7bfb 100644
--- a/RHEL/6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
@@ -83,7 +83,7 @@
<refine-value idref="var_password_pam_cracklib_difok" selector="3" />
<select idref="accounts_password_pam_cracklib_difok" selected="true" />
<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="5" />
-<select idref="deny_password_attempts" selected="true" />
+<select idref="accounts_passwords_pam_faillock_deny" selected="true" />
<select idref="set_password_hashing_algorithm_systemauth" selected="true" />
<select idref="set_password_hashing_algorithm_logindefs" selected="true" />
<refine-value idref="var_password_history_retain_limit" selector="24" />
diff --git a/RHEL/6/input/system/accounts/pam.xml
b/RHEL/6/input/system/accounts/pam.xml
index f566344..aacab89 100644
--- a/RHEL/6/input/system/accounts/pam.xml
+++ b/RHEL/6/input/system/accounts/pam.xml
@@ -414,7 +414,7 @@ one to use pam_faillock,
and a second to use unlock_time and set it to a Value
-->
-<Rule id="deny_password_attempts" severity="medium">
+<Rule id="accounts_passwords_pam_faillock_deny" severity="medium">
<title>Set Deny For Failed Password Attempts</title>
<description>
To configure the system to lock out accounts after a number of incorrect login
diff --git a/RHEL/7/input/auxiliary/transition_notes.xml
b/RHEL/7/input/auxiliary/transition_notes.xml
index c1339c9..745e5c1 100644
--- a/RHEL/7/input/auxiliary/transition_notes.xml
+++ b/RHEL/7/input/auxiliary/transition_notes.xml
@@ -9,7 +9,7 @@
<note ref="768" auth="GG" rule="">This is not covered in RHEL 6 content</note>
-<note ref="766" auth="GG" rule="deny_password_attempts">This is covered in
RHEL 6 content</note>
+<note ref="766" auth="GG" rule="accounts_passwords_pam_faillock_deny">This is
covered in RHEL 6 content</note>
<note ref="762" auth="GG" rule="">This is not covered in RHEL 6 content</note>
diff --git a/RHEL/7/input/checks/accounts_passwords_pam_faillock_deny.xml
b/RHEL/7/input/checks/accounts_passwords_pam_faillock_deny.xml
new file mode 120000
index 0000000..7555d49
--- /dev/null
+++ b/RHEL/7/input/checks/accounts_passwords_pam_faillock_deny.xml
@@ -0,0 +1 @@
+../../../../shared/oval/accounts_passwords_pam_faillock_deny.xml
\ No newline at end of file
diff --git a/RHEL/7/input/profiles/rht-ccp.xml
b/RHEL/7/input/profiles/rht-ccp.xml
index f761500..cc17b32 100644
--- a/RHEL/7/input/profiles/rht-ccp.xml
+++ b/RHEL/7/input/profiles/rht-ccp.xml
@@ -10,6 +10,7 @@
<refine-value idref="var_accounts_password_minlen_login_defs" selector="6"/>
<refine-value idref="var_password_max_age" selector="90"/>
<refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/>
+<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="5" />
<refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/>
<refine-value idref="var_password_pam_cracklib_retry" selector="3"/>
<refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/>
@@ -58,7 +59,7 @@
<select idref="accounts_password_pam_cracklib_ocredit" selected="true"/>
<select idref="accounts_password_pam_cracklib_lcredit" selected="true"/>
<select idref="accounts_password_pam_cracklib_difok" selected="true"/>
-<select idref="deny_password_attempts" selected="true"/>
+<select idref="accounts_passwords_pam_faillock_deny" selected="true"/>
<select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
<select idref="set_password_hashing_algorithm_logindefs" selected="true"/>
<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/>
diff --git a/RHEL/7/input/system/accounts/pam.xml
b/RHEL/7/input/system/accounts/pam.xml
index d17c439..fe14c0a 100644
--- a/RHEL/7/input/system/accounts/pam.xml
+++ b/RHEL/7/input/system/accounts/pam.xml
@@ -414,7 +414,7 @@ one to use pam_faillock,
and a second to use unlock_time and set it to a Value
-->
-<Rule id="deny_password_attempts" severity="medium">
+<Rule id="accounts_passwords_pam_faillock_deny" severity="medium">
<title>Set Deny For Failed Password Attempts</title>
<description>
To configure the system to lock out accounts after a number of incorrect login
diff --git a/shared/oval/accounts_passwords_pam_faillock_deny.xml
b/shared/oval/accounts_passwords_pam_faillock_deny.xml
new file mode 100644
index 0000000..1cc6c09
--- /dev/null
+++ b/shared/oval/accounts_passwords_pam_faillock_deny.xml
@@ -0,0 +1,49 @@
+<def-group>
+ <definition class="compliance" id="accounts_passwords_pam_faillock_deny"
version="1">
+ <metadata>
+ <title>Lock out account after failed login attempts</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>The number of allowed failed logins should be set
correctly.</description>
+ <reference source="swells" ref_id="20131025" ref_url="test_attestation"
/>
+ </metadata>
+ <criteria>
+ <criterion comment="pam_faillock.so deny value set in system-auth"
test_ref="test_accounts_passwords_pam_faillock_deny_system-auth" />
+ <criterion comment="pam_faillock.so deny value set in password-auth"
test_ref="test_accounts_passwords_pam_faillock_deny_password-auth" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="check maximum failed login attempts allowed in /etc/pam.d/system-auth"
id="test_accounts_passwords_pam_faillock_deny_system-auth" version="1">
+ <ind:object
object_ref="object_accounts_passwords_pam_faillock_deny_system-auth" />
+ <ind:state
state_ref="state_accounts_passwords_pam_faillock_deny_system-auth" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="check maximum failed login attempts allowed in
/etc/pam.d/password-auth"
id="test_accounts_passwords_pam_faillock_deny_password-auth" version="1">
+ <ind:object
object_ref="object_accounts_passwords_pam_faillock_deny_password-auth" />
+ <ind:state
state_ref="state_accounts_passwords_pam_faillock_deny_password-auth" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object
id="object_accounts_passwords_pam_faillock_deny_system-auth" version="1">
+ <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*auth\s+(?:(?:required))\s+pam_faillock\.so.*deny=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or
equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object
id="object_accounts_passwords_pam_faillock_deny_password-auth" version="1">
+ <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so.*deny=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or
equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state
id="state_accounts_passwords_pam_faillock_deny_system-auth" version="1">
+ <ind:subexpression datatype="int" operation="equals"
var_ref="var_accounts_passwords_pam_faillock_deny" />
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_state
id="state_accounts_passwords_pam_faillock_deny_password-auth" version="1">
+ <ind:subexpression datatype="int" operation="equals"
var_ref="var_accounts_passwords_pam_faillock_deny" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="number of failed login attempts allowed"
datatype="int" id="var_accounts_passwords_pam_faillock_deny" version="1" />
+</def-group>
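Review bot: Both `<ind:pattern>` elements capture the deny value with `deny=([0-9]*)`, which also matches a bare `deny=` and hands an empty subexpression to the `datatype="int"` state, where it will likely produce an error rather than a clean fail; `deny=([0-9]+)` would make a valueless option fail as a non-match instead. The system-auth object accepts only `required` while the password-auth object accepts `sufficient` or `[default=die]`; if both files are expected to carry the same pam_faillock lines, the two patterns presumably should accept the same set of control values — worth confirming against the rule text in pam.xml before the symlinks go live. The `<reference source="swells" ref_id="20131025" ref_url="test_attestation" />` carried over from the RHEL 6 file predates the `<platform>Red Hat Enterprise Linux 7</platform>` entry added here, so the RHEL 7 platform is not yet covered by an attestation.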
--
1.8.3.1